
Collecting data from pod


ID: MS-TA9041
Tactic: Collection
MITRE technique:

Using Kubernetes administrative commands, an attacker can collect information from a pod without needing direct access to that pod. One example of such a command is kubectl cp, which can be used to copy files to and from pods.

Another example is the Kubelet Checkpoint API, which can be used to create a stateful copy of a running container. Typically, a checkpoint contains all memory pages of all processes in the checkpointed container. This means that everything that was in memory is now available on the local disk, including all private data and possibly keys used for encryption.


| ID | Mitigation | Description |
|----|------------|-------------|
| MS-M9003 | Adhere to least-privilege principle | Adhere to the least-privilege principle to prevent users from creating checkpoints or running kubectl cp commands. kubectl cp wraps the exec command, which runs a tar process. Preventing exec into a container would effectively restrict the kubectl cp command. |
| MS-M9010 | Restrict Exec Commands on Pods | Restrict checkpoint and other commands on pods using an admission controller. |
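
One way to check the least-privilege mitigation (MS-M9003) is to audit RBAC roles for rules that still allow exec or checkpoint requests. The script below is an added example, not part of the original page. The role names and sample data are constructed, and the mapping of checkpoint requests to the nodes/proxy and nodes/checkpoint subresources is an assumption about the cluster version.

```python
# Added example, not from the original page: audit RBAC roles for rules that
# permit the collection paths described above.
# pods/exec backs kubectl cp (per the page). nodes/proxy and nodes/checkpoint
# are ASSUMED to be the subresources that gate kubelet checkpoint requests.
# "get" on pods/exec is ASSUMED to allow exec over a WebSocket upgrade.
WATCHED = {
    "pods/exec": {"create", "get"},
    "nodes/proxy": {"create"},
    "nodes/checkpoint": {"create"},
}


def resource_matches(rule_resource, target):
    """RBAC-style match: '*', the exact 'resource/sub', or '*/sub'."""
    return rule_resource in ("*", target, "*/" + target.split("/", 1)[1])


def audit_roles(items):
    """Return sorted (role, namespace, subresource) tuples that need review."""
    findings = set()
    for role in items:
        meta = role.get("metadata", {})
        scope = meta.get("namespace", "<cluster>")
        for rule in role.get("rules") or []:
            groups, verbs = rule.get("apiGroups", []), set(rule.get("verbs", []))
            if "" not in groups and "*" not in groups:
                continue  # pods and nodes are in the core ("") API group
            for target, risky_verbs in WATCHED.items():
                if not ("*" in verbs or verbs & risky_verbs):
                    continue
                if any(resource_matches(r, target) for r in rule.get("resources", [])):
                    findings.add((meta.get("name", "?"), scope, target))
    return sorted(findings)


def _role(name, ns, groups, resources, verbs):
    meta = {"name": name, **({"namespace": ns} if ns else {})}
    return {"metadata": meta, "rules": [{"apiGroups": groups, "resources": resources, "verbs": verbs}]}


# Constructed sample roles (hypothetical names), shaped like the "items" from
# `kubectl get roles -A -o json` and `kubectl get clusterroles -o json`.
SAMPLE = [
    _role("pod-reader", "web", [""], ["pods", "pods/log"], ["get", "list"]),
    _role("ci-deployer", "web", [""], ["pods", "pods/exec"], ["create"]),
    _role("node-debugger", None, [""], ["nodes/proxy"], ["get", "create"]),
    _role("ops-wildcard", None, ["*"], ["*"], ["*"]),
    _role("apps-admin", None, ["apps"], ["*"], ["*"]),
]
```

Each finding is a role to review together with its bindings. The script ignores resourceNames restrictions, so a flagged rule may be narrower than it appears.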